I've inherited maintenance of a ZNE 5.0.13 server.

Services I want to offer:
-----------------------------
SMTP+AUTH+STARTTLS only on 25, SMTP+AUTH+STARTTLS only on submission 587, and SMTPS on 465 (for STARTTLS-incapable clients); and be absolutely certain no users send their passwords unencrypted -- so, forbid PLAINTEXT AUTH entirely. Obviously, I have to accept unencrypted delivery from other MTAs on 25.

IMAP+STARTTLS only on 143, and IMAPS on 993 (for STARTTLS-incapable clients like MacOS Mail.app); and, again, be absolutely certain no users send unencrypted credentials -- so, forbid PLAINTEXT AUTH on 143.

No POP3, period.


A few questions, because I'm new to Zimbra, the box is really only half configured, and I don't know where to look.


About certificates:
----------------------

The hostname is: "server.example.com".

All services run as, and the certificates are issued to, "mail.example.com". That is, HTTPS, IMAPS, SMTP, and SMTPS all run for users as "mail.example.com".

The CSR was not generated using Zimbra, these are old certificates we already have from other services.

I can see the installed certificate in the HTTP Admin Console.

We have installed the above commercial GeoTrust cert, key, their CA cert, and our CSR into /opt/zimbra/ssl/zimbra/commercial/commercial{_ca}.{crt,csr,key}.

1) Which Zimbra components use the "commercial" files? What is the significance of the "ca/" and "server/" directories and files?

2) Must the commercial.key file be unencrypted, e.g. password-less? I assume so.

3) Permissions on the cert-related files are 644. From the wiki, I believe this is incorrect; they should be 740?

4) From /var/log/mail.log, postfix wants /opt/zimbra/conf/smtpd.key. How do I make it happy? Should I copy/link the password-less commercial.key file here?

5) I also installed the OS package containing root certificates. Is this relevant?


Logging/Debugging
-------------------------

The best (certified) wiki article I can find on this is for 4.5.

It seems I must read /var/log/mail.* for postfix, but everything else is under /opt/zimbra/logs?

In /opt/zimbra/logs/mailbox.log (I guess it's the main log file), I don't see clients connecting to check their IMAP (e.g. "Get new mail" on a client doesn't generate any log entries). Zimbra *does* log a client changing IMAP folders; e.g. on client, viewing INBOX, click "Sent Mail", gives me a log hit.

1) Where do I turn up IMAP logging to log all IMAP transactions?



Sorry if lots of this is covered in various places. Please point me to docs if it's easier. I have some specific tasks I want to cover quickly, so I do appreciate any direct answers. I'm happy to add responses to any wiki pages as necessary.


Thanks in advance!
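Whatever the answers to the configuration questions turn out to be, the policy in "Services I want to offer" (no PLAIN/LOGIN authentication reachable before TLS on 25, 587 and 143; implicit TLS on 465 and 993) can be verified from the outside. The script below is an added example, not code from the original post or from Zimbra: it parses the capabilities a server advertises on the cleartext socket before STARTTLS and flags any path by which a password could leave a client unencrypted. The EHLO and CAPABILITY replies embedded in it are constructed samples; the hostname `mail.example.com` and the `probe_*` helpers are illustrative assumptions.

```python
"""Pre-STARTTLS credential-exposure check for SMTP and IMAP (added example)."""
import re
import socket
import ssl
from typing import NamedTuple, Set

# SASL mechanisms that carry the password in the clear (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


class AuthExposure(NamedTuple):
    starttls: bool           # server offers STARTTLS on this cleartext socket
    auth_mechs: Set[str]     # SASL mechanisms advertised before TLS
    plaintext_exposed: bool  # credentials could travel unencrypted


def parse_smtp_ehlo(response: str) -> AuthExposure:
    """Classify a multi-line EHLO reply captured before STARTTLS."""
    starttls, mechs = False, set()
    for line in response.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue
        keyword = line[4:].strip()  # drop "250-" / "250 "
        if keyword.upper() == "STARTTLS":
            starttls = True
        elif keyword.upper().startswith("AUTH"):
            # Postfix may emit both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN".
            mechs.update(m.upper() for m in keyword[4:].lstrip("= ").split())
    return AuthExposure(starttls, mechs, bool(mechs & PLAINTEXT_MECHS))


def parse_imap_capability(response: str) -> AuthExposure:
    """Classify an IMAP greeting or CAPABILITY reply captured before STARTTLS."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", response, re.IGNORECASE)
    caps = {c.upper() for c in m.group(1).split()} if m else set()
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    # RFC 3501: the LOGIN command stays usable unless LOGINDISABLED is advertised,
    # so a server that merely omits AUTH=PLAIN still accepts cleartext logins.
    exposed = bool(mechs & PLAINTEXT_MECHS) or "LOGINDISABLED" not in caps
    return AuthExposure("STARTTLS" in caps, mechs, exposed)


def _read_smtp_reply(f) -> str:
    """Read one SMTP reply; continuation lines carry '-' in column 4."""
    lines = []
    while True:
        line = f.readline().decode("utf-8", "replace")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "".join(lines)


def _connect(host: str, port: int, implicit_tls: bool, timeout: float):
    sock = socket.create_connection((host, port), timeout)
    if implicit_tls:  # 465 / 993 style: TLS from the first byte
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return sock


def probe_smtp(host: str, port: int = 25, implicit_tls: bool = False,
               timeout: float = 10) -> AuthExposure:
    """Connect, send EHLO, and classify what the server offers before STARTTLS."""
    with _connect(host, port, implicit_tls, timeout) as sock:
        f = sock.makefile("rb")
        _read_smtp_reply(f)  # 220 banner
        sock.sendall(b"EHLO probe.invalid\r\n")
        reply = _read_smtp_reply(f)
        sock.sendall(b"QUIT\r\n")
    return parse_smtp_ehlo(reply)


def probe_imap(host: str, port: int = 143, implicit_tls: bool = False,
               timeout: float = 10) -> AuthExposure:
    """Connect, request CAPABILITY, and classify what is offered before STARTTLS."""
    with _connect(host, port, implicit_tls, timeout) as sock:
        f = sock.makefile("rb")
        lines = [f.readline().decode("utf-8", "replace")]  # greeting
        sock.sendall(b"a1 CAPABILITY\r\n")
        while lines[-1] and not lines[-1].startswith("a1 "):
            lines.append(f.readline().decode("utf-8", "replace"))
        sock.sendall(b"a2 LOGOUT\r\n")
    return parse_imap_capability("".join(lines))


# Constructed sample replies (not captured from any real server).
WEAK_EHLO = ("250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
             "250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME\r\n")
HARDENED_EHLO = "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
WEAK_IMAP = "* OK ready\r\n* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN\r\na1 OK\r\n"
HARDENED_IMAP = "* OK ready\r\n* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK\r\n"

if __name__ == "__main__":
    for name, sample, parse in [("smtp weak", WEAK_EHLO, parse_smtp_ehlo),
                                ("smtp hardened", HARDENED_EHLO, parse_smtp_ehlo),
                                ("imap weak", WEAK_IMAP, parse_imap_capability),
                                ("imap hardened", HARDENED_IMAP, parse_imap_capability)]:
        print(f"{name:14s} {parse(sample)}")
    # Against a live host (assumed name): probe_smtp("mail.example.com", 25),
    # probe_smtp("mail.example.com", 587), probe_imap("mail.example.com", 143),
    # probe_smtp("mail.example.com", 465, implicit_tls=True), probe_imap("mail.example.com", 993, implicit_tls=True)
```

The pass condition for the cleartext ports is `starttls` true and `plaintext_exposed` false; the implicit-TLS probes on 465 and 993 are expected to show authentication offered, since the socket is already encrypted there. A `ConnectionRefusedError` from `probe_imap(host, 110)` is the desired result for the "no POP3" requirement. Note the IMAP rule: a server that does not advertise `LOGINDISABLED` before STARTTLS still accepts a cleartext `LOGIN` command even when no `AUTH=` mechanism is listed, which is the case most often missed when checking only for `AUTH=PLAIN`.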